On-board computer, computer execution method, and computer program

ABSTRACT

An on-board computer includes a physical resource having a communication unit which communicate with an on-board control device through an on-board communication line, a control unit, and a storage unit. The on-board computer further includes a connection unit to which an external device is to be connected; and a management processing unit configured to generate a virtual control device by allocating the physical resource in a case where the external device is connected to the connection unit, wherein the virtual control device operates as a virtual on-board control device that controls an operation of the external device connected to the connection unit, and that is connected to the on-board communication line.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is the U.S. national stage of PCT/JP2020/007071 filedon Feb. 21, 2020, which claims priority of Japanese Patent ApplicationNo. JP 2019-074322 filed on Apr. 9, 2019, the contents of which areincorporated herein.

TECHNICAL FIELD

The present disclosure relates to an on-board computer, a computerexecution method, and a computer program.

BACKGROUND

A plurality of electronic control units (hereinafter, referred to as“ECUs”) connected to an on-board network are mounted in a vehicle. Forexample, the plurality of ECUs are grouped for every domain such as apower train system, a body system, and an air conditioning system, andare connected to a central gateway.

In recent years, the on-board network becomes complicated in accordancewith introduction of a connected car function always connected to theInternet, an over the air (OTA) reprogramming function, an advanceddriver-assistance systems (ADAS), an automatic driving technology, anartificial intelligence technology, and the like, and thus securemanagement and cooperative operation control of a device that isadditionally connected to the ECU or the on-board network are difficultto be carried out.

With regard to the ECUs to which devices are externally connected,Japanese Patent Laid-Open Publication No. 2016-60328 discloses anon-board device including a connection port to which a plug-and-playcompliant device is capable of being externally connected. For example,the device is a storage device for operation log writing.

On the other hand, Japanese Patent Laid-Open Publication No. 2017-87773discloses an on-board device capable of causing a plurality of functionprocessing units to independently operate by causing a physicalprocessor to operate in parallel as a plurality of virtual processorcores by a virtualization technology using a hypervisor or the like. Theon-board device according to Japanese Patent Laid-Open Publication No.2017-87773 includes a function domain that executes an application, anda backup processing domain that writes backup data of the applicationfrom a volatile memory to a non-volatile memory, and the domainsindependently operate.

In Japanese Patent Laid-Open Publication No. 2016-60328, when a deviceconnected to the connection port is caused to operate directly on an OSof the on-board device, there is a concern that the device may have anadverse effect on other applications during operation. In addition, acooperative operation between an externally connected device and anotherECU connected to the on-board network is not considered. Japanese PatentLaid-Open Publication No. 2017-87773 does not disclose a managementtechnology of an additional device.

SUMMARY

An object of the present disclosure is to provide an on-board computer,a computer execution method, and a computer program which are capable ofcausing an external device to operate in a secure manner when theexternal device is connected to the on-board computer, and are capableof connecting the external device to an on-board network in an aspectcapable of operating cooperatively with another on-board control device.

An on-board computer of the present aspect comprises a physical resourceincluding a communication unit which communicate with an on-boardcontrol device through an on-board communication line, a control unit,and a storage unit; a connection unit to which an external device is tobe connected; and a management processing unit configured to generate avirtual control device by allocating the physical resource in a casewhere the external device is connected to the connection unit, whereinthe virtual control device operates as a virtual on-board control devicethat controls an operation of the external device connected to theconnection unit, and that is connected to the on-board communicationline.

A computer execution method of the present aspect wherein an on-boardcomputer including a physical resource including a communication unitwhich communicate with an on-board control device through an on-boardcommunication line, a control unit, and a storage unit, and a connectionunit to which an external device is to be connected executes processesof determining whether or not the external device is connected to theconnection unit, and generating a virtual control device by allocatingthe physical resource in a case where a determination is made asestablishment of connection of the external device to the connectionunit, and the virtual control device operates as a virtual on-boardcontrol device that controls an operation of the external deviceconnected to the connection unit, and that is connected to the on-boardcommunication line.

A computer program of the present aspect causes an on-board computerincluding a physical resource including a communication unit whichcommunicate with an on-board control device through an on-boardcommunication line, a control unit, and a storage unit, and a connectionunit to which an external device is to be connected to execute processesof: determining whether or not the external device is connected to theconnection unit; generating a virtual control device by allocating thephysical resource in a case where a determination is made asestablishment of connection of the external device to the connectionunit; and causing the virtual control device to operate as a virtualon-board control device that controls an operation of the externaldevice connected to the connection unit, and that is connected to theon-board communication line.

Note that, this application can be realized not only as a managementprocessing unit including the specific processing units, but also as amanagement processing method including the specific process as a step,or as a program causing a computer to execute the step, as describedabove. In addition, this application can be realized as a semiconductorintegrated circuit that realizes a part or the entirety of themanagement processing unit, or as other systems including the managementprocessing unit.

Effects of Present Disclosure

According to the present disclosure, it is possible to provide anon-board computer, a computer execution method, and a computer programwhich are capable of causing an external device to operate in a securemanner when the external device is connected to the on-board computer,and are capable of connecting the external device to an on-board networkin an aspect capable of operating cooperatively with another on-boardcontrol device.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is a block diagram illustrating a configuration example of anon-board communication system.

FIG. 2 is a block diagram illustrating a network configuration of theon-board communication system.

FIG. 3 is a functional block diagram of an on-board computer.

FIG. 4 is a flowchart illustrating a management procedure of a virtualECU.

FIG. 5 is a flowchart illustrating a generation procedure of the virtualECU.

FIG. 6 is a functional block diagram illustrating a state before thevirtual ECU is generated.

FIG. 7 is a functional block diagram illustrating a state in which thevirtual ECU has been generated.

FIG. 8 is a functional block diagram illustrating a state in which thevirtual ECU has been deleted.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS

First, embodiments of the present disclosure will be listed anddescribed. In addition, at least parts of the following embodiments maybe arbitrarily combined.

An on-board computer of the present aspect comprises a physical resourceincluding a communication unit which communicate with an on-boardcontrol device through an on-board communication line, a control unit,and a storage unit; a connection unit to which an external device is tobe connected; and a management processing unit configured to generate avirtual control device by allocating the physical resource in a casewhere the external device is connected to the connection unit, whereinthe virtual control device operates as a virtual on-board control devicethat controls an operation of the external device connected to theconnection unit, and that is connected to the on-board communicationline.

According to this aspect, in a case where the external device isconnected to the connection unit, the management processing unitgenerates the virtual control device configured to control the operationof the external device by allocating the physical resource of theon-board computer. In other words, the virtual control device operatesas a virtual on-board control device connected to the on-boardcommunication line in substitution for the external device. Since thevirtual control device related to the external device is a device thatoperates in a virtual environment, it is possible to reduce an adverseeffect on an OS of the on-board computer and an external on-boardcontrol device. In addition, since the external device can function as avirtual control device connected to the on-board communication line, itenters a state in which a cooperative operation such as transmission andreception of data to and from another on-board control device becomespossible.

Note that, the external device is not limited to a computer device, andincludes an arbitrary device or equipment that may have an effect on anoperation of an on-board computer, another on-board control deviceconnected to the on-board communication line, and the like. Examplesthereof include a device including an actuator, a device including asensor, an image display device, an audio device, a communicationdevice, a failure diagnosis device, and the like.

It is preferable that the management processing unit performsauthentication of the external device in a case where the externaldevice is connected to the connection unit, and generates the virtualcontrol device in a case where authentication succeeds.

According to this aspect, after performing authentication of theexternal device, the virtual control device of the external device isgenerated, and thus security can be improved.

It is preferable that the management processing unit acquires a programfor causing the virtual control device related to the external device tooperate from an external server, and provides the acquired program tothe virtual control device.

According to this aspect, since the program for causing the externaldevice to operate as the virtual control device is acquired from theexternal server, it is not necessary for the storage unit of theon-board computer to store a program for the external device. That is,capacity of the storage unit can be reduced.

It is preferable that the management processing unit acquires a programfor causing the virtual control device related to the external device tooperate from the external device, and provides the acquired program tothe virtual control device.

According to this aspect, since the program for causing the externaldevice to operate as the virtual control device is acquired from theexternal device, it is not necessary for the storage unit of theon-board computer to store a program for the external device. That is,capacity of the storage unit can be reduced.

It is preferable that the management processing unit transmitsinformation for displaying progress of a process of generating thevirtual control device.

According to this aspect, since the information for displaying aprogress situation of the process of generating the virtual controldevice is transmitted, a user can confirm the progress related to theprocess of generating the virtual control device.

It is preferable that the management processing unit deletes the virtualcontrol device in a case where the external device is detached from theconnection unit.

According to this aspect, in a case where the external device isdetached from the connection unit, the virtual control device can bedeleted, and the physical resource can be released.

It is preferable that the virtual control device is retained beforeelapse of predetermined time from detachment of the external device fromthe connection unit, and the virtual control device is deleted afterelapse of the predetermined time.

According to this aspect, in a case where the external device isdetached from the connection unit, the virtual control device is deletedafter waiting elapse of predetermined time, and thus in a case where theexternal device is reconnected within the predetermined time, thevirtual control device related to the external device can be usedinstantly.

It is preferable that the management processing unit monitors anoperation of the virtual control device, and deletes the virtual controldevice in a case where the operation of the virtual control device isabnormal.

According to this aspect, in a case where the operation of the virtualcontrol device is abnormal, the virtual control device can be deleted.Accordingly, security of an on-board system can be improved.

It is preferable that the management processing unit stores logs ofgeneration, operation, and deletion of the virtual control device.

According to this aspect, logs related to generation, operation, anddeletion of the virtual control device can be left.

A computer execution method of the present aspect wherein an on-boardcomputer including a physical resource including a communication unitwhich communicate with an on-board control device through an on-boardcommunication line, a control unit, and a storage unit, and a connectionunit to which an external device is to be connected executes processesof determining whether or not the external device is connected to theconnection unit, and generating a virtual control device by allocatingthe physical resource in a case where a determination is made asestablishment of connection of the external device to the connectionunit, and the virtual control device operates as a virtual on-boardcontrol device that controls an operation of the external deviceconnected to the connection unit, and that is connected to the on-boardcommunication line.

According to this aspect, as described above, in a case where theexternal device is connected to the on-board computer, it is possible tocause the external device to operate in a secure manner. In addition,the external device can be connected to the on-board network in anaspect capable of performing a cooperative operation with anotheron-board control device.

A computer program of the present aspect causes an on-board computerincluding a physical resource including a communication unit whichcommunicate with an on-board control device through an on-boardcommunication line, a control unit, and a storage unit, and a connectionunit to which an external device is to be connected to execute processesof: determining whether or not the external device is connected to theconnection unit; generating a virtual control device by allocating thephysical resource in a case where a determination is made asestablishment of connection of the external device to the connectionunit; and causing the virtual control device to operate as a virtualon-board control device that controls an operation of the externaldevice connected to the connection unit, and that is connected to theon-board communication line.

According to this aspect, in a case where the external device isconnected to the on-board computer, it is possible to cause the externaldevice to operate in a secure manner. In addition, the external devicecan be connected to the on-board network in an aspect capable ofperforming a cooperative operation with another on-board control device.

Hereinafter, the on-board communication system according to theembodiment of the present disclosure will be described with reference tothe accompanying drawings. Note that, the scope of the invention isrepresented by the appended claims rather than being limited toexemplification, and is intended to include meaning equivalent to theappended claims and all modification in the scope.

Hereinafter, the present disclosure will be described in detail withreference to the accompanying drawings illustrating an embodiment. FIG.1 is a block diagram illustrating a configuration example of theon-board communication system, FIG. 2 is a block diagram illustrating anetwork configuration of the on-board communication system, and FIG. 3is a functional block diagram of an on-board computer 1.

The on-board communication system according to this embodiment includesthe on-board computer 1, a plurality of area ECUs 2, a terminal device 3connected to each of the area ECUs 2, a plurality of ECUs 4, an externaldevice 5, an exterior communication device 6, and a display device 7.The plurality of area ECUs 2 and ECUs 4 are connected to the on-boardcomputer 1 by a first on-board communication line 121 and a secondon-board communication line 122, respectively. The exteriorcommunication device 6 and the display device 7 are connected to aninput/output I/F 14 of the on-board computer 1. The external device 5 isdetachably connected to a connection unit 13 of the on-board computer 1.For example, the external device 5 is a computer device. However, theexternal device 5 is not limited to the computer device, and includes anarbitrary device or equipment that may have an effect on an operation ofthe on-board computer 1, the area ECUs 2 connected to the first on-boardcommunication line 121, and the ECUs 4 connected to the second on-boardcommunication line 122. Examples of the external device 5 include adevice including an actuator, a device including a sensor, an imagedisplay device, an audio device, a communication device, and a failurediagnosis device.

The on-board computer 1 includes a control unit 10, a storage unit 11, acommunication unit 12, a connection unit 13, and the input/output I/F14. The on-board computer 1 is also referred to as “central ECU”. Thecommunication unit 12 includes one or a plurality of Ethernet(registered trademark) communication units 12 a and one or a pluralityof control area network (CAN) communication units 12 b. Note that, inthis embodiment, description will be given of an example in which boththe Ethernet communication unit 12 a and the CAN communication unit 12 bare provided, but only the Ethernet communication unit 12 a may beprovided.

The storage unit 11 includes a volatile memory element such as a randomaccess memory (RAM), and a non-volatile memory element such as a flashmemory and an electrically erasable programmable read only memory(EEPROM). The storage unit 11 stores a virtualization operating system(virtualization OS) 11 a, a computer program (computer PG) 11 b, a guestOS 11 c, a dedicated program 11 d, and a general-purpose program 11 eaccording to this embodiment, and various pieces of data necessary foran operation of the control unit 10. In addition, the storage unit 11stores a table showing a correspondence relationship betweenidentification information of the external device 5, the guest OS 11 cthat is suitable for causing the external device 5 to operate as avirtual ECU 102, and the dedicated program 11 d or the general-purposeprogram 11 e.

For example, the virtualization operating system 11 a is a hypervisor.The virtualization operating system 11 a has a function of constructinga plurality of virtual environments, in which the virtual ECU 102 canoperate, on the virtualization operating system 11 a. The virtualenvironments include a virtual control unit, a virtual storage unit, avirtual Ethernet communication unit, a virtual CAN communication unit (ablank block in FIG. 3), and the like which are formed by allocating aphysical resource including the control unit 10, the storage unit 11,the communication unit 12, and the like. The virtual ECU 102 operates asthe actual physical area ECU 2 or ECU 4 by causing the guest OS 11 c andvarious programs on virtual hardware thereof. That is, the virtual ECU102 can communicate with other area ECUs 2 and ECUs 4 as each of thearea ECUs 2 connected to the first on-board communication line 121 oreach of the area ECUs 4 connected to the second on-board communicationline 122.

In addition, it is assumed that a virtual management ECU 101 thatmanages generation, an operation, and deletion of one or a plurality ofthe virtual ECUs 102 is generated in the virtualization operating system11 a. The virtual management ECU 101 always operates on thevirtualization operating system 11 a. The virtual management ECU 101 cangenerate and extinct another virtual ECU 102 by using the virtualizationoperating system 11 a. The virtual management ECU 101 can be allocatedwith a virtual storage unit 11 that stores the guest OS 11 c, thededicated program 11 d, and the general-purpose program 11 e forgenerating the virtual ECU 102, and can access the program, and thelike. The virtual ECU 102 is a device configured to control an operationof the external device 5, and operates as a virtual on-board controldevice connected to the first on-board communication line 121 or thesecond on-board communication line 122. In other words, the virtual ECU102 is a device that operates in substitution for the external device 5.In addition, the virtual management ECU 101 can monitor an operationstate of each of a plurality of the virtual ECUs 102 through thevirtualization operating system 11 a. Further, the virtual managementECU 101 can recognize an attachment or detachment state of the externaldevice 5 connected to the connection unit 13 through the virtualizationoperating system 11 a. Furthermore, it is assumed that the virtualmanagement ECU 101 can also access an external server A through theexterior communication device 6.

The computer program 11 b is a program that performs management of thevirtual ECU 102 such as generation and deletion of the virtual ECU 102that is a device configured to control an operation of the externaldevice 5 when the external device 5 is attached to or detached from theon-board computer 1, and operates as a virtual on-board control deviceconnected to the first on-board communication line 121 or the secondon-board communication line 122. For example, the computer program 11 bis executed by the virtual management ECU 101.

The guest OS 11 c is an OS for causing the virtual ECU 102 to operate.The guest OS 11 c is installed in the virtual ECU 102 including virtualhardware, and functions as a basic OS of the virtual ECU 102. Examplesof the guest OS 11 c include Autosar, Linux (registered trademark),Android (registered trademark), QNX (registered trademark), and Ubuntu(registered trademark).

The dedicated program 11 d and the general-purpose program 11 e areprograms which operate after being installed in the virtual ECU 102 thatis a device configured to control the operation of the external device 5and operates as the virtual on-board control device connected to thefirst on-board communication line 121 or the second on-boardcommunication line 122. The dedicated program 11 d is a dedicatedprogram for causing a specific external device 5 connected to theon-board computer 1 to operate. The general-purpose program 11 e is aprogram for realizing a basic function of various external devices 5 ina case where the dedicated program 11 d of the external device 5connected to the on-board computer 1 is not available.

Note that, the various programs may be written in the storage unit 11 ata manufacturing stage of the on-board computer 1. The on-board computer1 may acquire programs distributed from an external server device (notillustrated), or the like through communication. Programs recorded on arecording medium such as a memory card or optical disc may be read outby the on-board computer 1 and may be stored in the storage unit 11.Programs recorded on the recording medium may be read out by a writingdevice and may be written in the storage unit 11 of the on-boardcomputer 1. The various programs may be provided in a distributionaspect through a network. The various programs may be provided in anaspect recorded on the recording medium.

For example, the control unit 10 is constructed by using an arithmeticprocessing device such as a central processing unit (CPU) or amicro-processing unit (MPU), and reads out and executes thevirtualization operating system 11 a, the computer program 11 b, and thelike which are stored in the storage unit 11 to perform various kinds ofarithmetic processing. In addition, the control unit 10 includes a timerthat measures arbitrary elapsed time.

The Ethernet communication unit 12 a is an Ethernet PHY unit thatperforms communication in compliance with a communication protocol suchas 100BASE-T1 or 1000BASE-T1. The plurality of area ECUs 2 are connectedto the Ethernet communication unit 12 a through the first on-boardcommunication line 121 compliant to the communication protocol. Forexample, as illustrated in FIG. 2, each of the area ECUs 2 is anelectronic control unit that controls an operation of the terminaldevice 3 provided in a specific area such as a front-right, afront-left, a rear-right, and a rear-left of a vehicle C. Examples ofthe terminal device 3 include various sensors such as an on-board camerathat images the outside of a vehicle, light detection and ranging(LIDAR), and an in-vehicle camera. The terminal device 3 may be an audiodevice that outputs entertainment-based image and audio. In addition,the terminal device 3 may be an electronic control unit.

Note that, an operation and various kinds of arithmetic processing of apart or all of a plurality of the terminal devices 3 can be executed onthe on-board computer 1 side. However, from the viewpoint of systemredundancy for securing safety, it is desirable that each of the areaECUs 2 is configured to control a minimum operation of the own deviceand the terminal device 3 in a case where the on-board computer 1 isabnormally stopped.

The CAN communication unit 12 b is a CAN transceiver that performscommunication in compliance with a CAN communication protocol. Theplurality of ECUs 4 are connected to the CAN communication unit 12 bthrough the second on-board communication line 122 compliant to the CANcommunication protocol.

In a case where a plurality of the CAN communication units 12 b areprovided, the plurality of ECUs 4 are respectively connected tocorresponding CAN communication units 12 b for each of a plurality offunction domains. Examples of the plurality of function domains includea cognitive domain, a judgement domain, and an operation domain. Theon-board computer 1 functions as a relay device that relays datatransmitted and received by the ECU 4 connected to each of the CANcommunication units 12 b.

The ECU 4 pertaining to the cognitive domain is connected to a sensorsuch as an on-board camera, a LIDAR, an ultrasonic sensor, and amillimeter wave sensor. For example, the ECU 4 converts an output valueoutput from the sensor into a digital value, and transmits the digitalvalue to the ECU 4 of the judgment domain through the second in-vehiclecommunication line.

For example, the ECU 4 pertaining to the judgement domain receives datatransmitted from the ECU 4 pertaining to the cognitive domain. The ECU 4of the judgement domain generates data for exhibiting an automaticdriving function of the vehicle C on the basis of the received data, orperforms data processing process. The ECU 4 of the judgement domaintransmits the data generated, etc. to the ECU 4 of the operation domainthrough the second in-vehicle communication line.

For example, the ECU 4 pertaining to the operation domain is connectedto an actuator of a motor, an engine, a brake, or the like. The ECU 4 ofthe operation domain receives data transmitted from the ECU 4 of thejudgement domain, controls an operation of the actuator on the basis ofthe received data, and performs an operation, such as travelling,stoppage, or steering, of the vehicle C to exhibit the automatic drivingfunction.

Note that, here, description has been given of an example in which theECUs 4 connected to the CAN communication unit 12 b execute the processrelated to the cognition, judgement, and operation, but the area ECUs 2and the on-board computer 1 may execute the operation in cooperationwith each other. Particularly, it is desirable that a process requiringlarge-capacity data communication is executed by the area ECUs 2 side.In addition, high-load arithmetic processing such as arithmeticprocessing related to artificial intelligence may be executed on theon-board computer 1 side.

The connection unit 13 is a connection port configured to detachablyconnect the external device 5 to the on-board computer 1. The controlunit 10 or the virtual management ECU 101 monitors a state of theconnection unit 13 and can detect attachment or detachment of theexternal device 5. In addition, the control unit 10 transmits andreceives data to and from the external device 5 through the connectionunit 13. For example, the connection unit 13 is a USB port capable ofrealizing plug and play. Note that, the connection unit 13 may be anEthernet port or a CAN communication port. The kind of the externaldevice 5 connected to the connection unit 13 is not particularlylimited, and the external device 5 may have a configuration thatincludes, for example, a processor, a memory, and a communicationcircuit, and is capable of transmitting and receiving data to and fromthe control unit 10 of the on-board computer 1.

The input/output I/F 14 is an interface for communication with theexterior communication device 6, the display device 7, and the like. Theexterior communication device 6 and the display device 7 is connected tothe input/output I/F 14 through a wire harness such as a serial cable.

The exterior communication device 6 is a communication device thatincludes an antenna 60 for performing radio communication and performsthe radio communication through an Internet communication network suchas WiFi, and a mobile communication network such as 3G, LTE, 4G, and 5G.For example, the exterior communication device 6 is a telematics controlunit (TCU). For example, the exterior communication device 6 transmitsand receives data to and from the external server A. The external serverA stores the dedicated program 11 d necessary to cause the externaldevice 5 to operate as the virtual ECU 102. The exterior communicationdevice 6 makes a request for distribution of the necessary dedicatedprogram 11 d to the external server A, and the external server Awirelessly transmits the dedicated program 11 d to an on-boardcommunication device in correspondence with the request. The on-boardcomputer 1 can acquire the dedicated program 11 d by the exteriorcommunication device 6.

Note that, in this embodiment, description has been given on theassumption that the exterior communication device 6 and the on-boardcomputer 1 are individual bodies, but the on-board computer 1 may have aconfiguration or a function of the exterior communication device 6.

In addition, the external server A may be an OTA server. The externalserver A transmits update programs for updating programs of the on-boardcomputer 1, the area ECUs 2, the ECUs 4, and the like, and the guest OS11 c, the dedicated program 11 d, and the general-purpose program 11 efor the virtual ECU 102. The on-board computer 1 receives the updateprograms transmitted from the external server A. The on-board computer 1updates various programs of the on-board computer 1 that is an owndevice, the area ECUs 2, the ECUs 4, and the virtual ECU 102 by usingthe received update program.

For example, the display device 7 is a human machine interface (HMI)device such as a display of a car navigation. The display device 7displays data or information output from the control unit 10 of theon-board computer 1 through the input/output I/F 14.

FIG. 4 is a flowchart illustrating a management procedure of the virtualECU 102. The virtual management ECU 101 determines whether or not theexternal device 5 is connected to the connection unit 13 (step S11). Ina case where it is determined that the external device 5 is notconnected (step S11: NO), the virtual management ECU 101 returns theprocess to step S11, and waits.

In a case where it is determined that the external device 5 is connectedto the connection unit 13 (step S11: YES), recording of logs related togeneration, operation, and deletion of the virtual ECU 102 is initiated(step S12). Note that, the virtual ECU 102 may be configured to recordthe logs always regardless of establishment of connection of theexternal device 5.

Next, the virtual management ECU 101 executes a process of generatingthe virtual ECU 102 that is a device configured to control the operationof the external device 5 connected to the connection unit 13 andoperates as a virtual on-board control device connected to the firston-board communication line 121 or the second on-board communicationline 122 by using the virtualization operating system 11 a (step S13).

The process of generating the virtual ECU 102 will be described.

FIG. 5 is a flowchart illustrating a generation procedure of the virtualECU 102, FIG. 6 is a functional block diagram illustrating a statebefore the virtual ECU 102 is generated, and FIG. 7 is a functionalblock diagram illustrating a state in which the virtual ECU 102 has beengenerated.

The virtual management ECU 101 performs authentication of the connectedexternal device 5 (step S51), and determines whether or notauthentication succeeds (step S52). Authentication of the externaldevice 5 may be performed by a known method. For example, authenticationis performed by determining whether or not identification information ofthe external device 5 such as an MAC address, an IP address, and apredetermined device code matches information registered in advance inthe on-board computer 1, the ECU 4 that executes a process related toauthentication, or an external authentication server. Hereinafter, thevirtual management ECU 101 can perform communication with the externaldevice 5 as necessary, but another virtual ECU 102 cannot performinformation exchange with the external device 5, and communicationthrough the virtual management ECU 101 is also limited.

In a case where it is determined that authentication of the externaldevice 5 fails (step S52: NO), the virtual management ECU 101 does notgenerate the virtual ECU 102, and terminates the process.

In a case where it is determined that authentication of the externaldevice 5 succeeds (step S52: YES), the virtual management ECU 101initiates a process of displaying information indicating a progresssituation of the process of generating the virtual ECU 102 on thedisplay device 7 (step S53). Specifically, the virtual management ECU101 transmits information indicating initiation of generation of thevirtual ECU 102 to the display device 7. Then, the virtual managementECU 101 transmits information related to that a virtual environment hasbeen generated, information related to that the guest OS 11 c has beeninstalled, information related to that a program for the external device5 has been installed, information related to that the virtual ECU 102has become operable, or the like to the display device 7. In addition,the virtual management ECU 101 may estimate required time until thevirtual ECU 102 becomes operable, and may transmit informationindicating predicted time up to operation initiation to the displaydevice 7. The display device 7 receives information transmitted from thevirtual management ECU 101 and displays an image based on theinformation.

Next, the virtual management ECU 101 constructs a virtual environment byallocating necessary physical resources to the virtual ECU 102 that is adevice configured to control an operation of the external device 5 andoperates as a virtual on-board control device connected to the firston-board communication line 121 or the second on-board communicationline 122 by using the virtualization operating system 11 a, andgenerates the virtual ECU 102 (step S54).

Next, the virtual management ECU 101 determines whether or not thestorage unit 11 stores the dedicated program 11 d necessary to cause theexternal device 5 to operate on the basis of identification informationof the external device 5 (step S55). In a case where it is determinedthat the storage unit 11 stores the dedicated program 11 d (step S55:YES), the virtual management ECU 101 reads out the dedicated program 11d from the storage unit 11 (step S56).

In step S55, in a case where it is determined that the storage unit 11does not store the dedicated program 11 d (step S55: NO), the virtualmanagement ECU 101 determines whether or not the external device 5includes the dedicated program 11 d by performing communication with theexternal device 5 (step S57). In a case where it is determined that theexternal device 5 includes the dedicated program 11 d (step S57: YES),the dedicated program 11 d is acquired from the external device 5, andthe acquired dedicated program 11 d is stored in the storage unit 11(step S58). In addition, the virtual management ECU 101 stores acorrespondence relationship between the identification information ofthe external device 5 and the dedicated program 11 d in the storage unit11.

In step S57, in a case where it is determined that the external device 5does not include the dedicated program 11 d (step S57: NO), the virtualmanagement ECU 101 determines whether or not the dedicated program 11 dis present in the external server A (step S59). Specifically, thevirtual management ECU 101 inquires of the external server A aboutpresence or absence of the dedicated program 11 d for the externaldevice 5 by using identification information of the terminal device 3 toconfirm presence or absence of the dedicated program 11 d.

In a case where it is determined that the dedicated program 11 d ispresent in the external server A (step S59: YES), the virtual managementECU 101 acquires the dedicated program 11 d for the external device 5from the external server A and stores the dedicated program 11 d in thestorage unit 11 (step S60). The virtual management ECU 101 stores acorrespondence relationship between the identification information forthe external device 5 and the dedicated program 11 d in the storage unit11.

In step S59, in a case where it is determined that the dedicated program11 d is not present in the external server A (step S59: NO), the virtualmanagement ECU 101 refers to the table and reads out the general-purposeprogram 11 e suitable for the external device 5 from the storage unit 11(step S61).

The virtual management ECU 101 that has terminated the process in stepsS56, S58, S60, or S61 installs the guest OS 11 c in the virtual ECU 102,and subsequently installs the dedicated program 11 d or thegeneral-purpose program 11 e (step S62). That is, the virtual ECU 102stores the guest OS 11 c, and the dedicated program 11 d or thegeneral-purpose program 11 e in the allocated storage unit 11 (virtualstorage unit).

Then, in a case where generation of the virtual ECU 102 related to theexternal device 5 is completed, the virtual management ECU 101 transmitsinformation indicating completion of the generation of the virtual ECU102 to the display device 7, and terminates the process of generatingthe virtual ECU 102 (step S63).

Through the above-described processes, the virtual ECU 102 is generatedas illustrated in FIG. 6 and FIG. 7. FIG. 6 illustrates a state in whichthe external device 5 is not connected to the connection unit 13, andonly the virtual management ECU 101 operates. In this state, when theexternal device 5 is connected to the connection unit 13 as illustratedin FIG. 7, the virtual management ECU 101 issues a command or the liketo the virtualization operating to generate the virtual ECU 102 that isa device configured to control the operation of the external device 5and operates as a virtual on-board control device connected to the firston-board communication line 121 or the second on-board communicationline 122. Then, the virtual ECU 102 can communicate with another virtualECU 102 generated on the virtualization operating system 11 a, the areaECU 2 connected to the first on-board communication line 121, the ECU 4connected to the second on-board communication line 122, and the like.Of course, the virtual management ECU 101 appropriately limits a rangethat the external device 5 can access by the virtual ECU 102. Inaddition, on the contrary, a range that the area ECU 2 and the ECU 4 canaccess by the virtual ECU 102 of the external device 5 is also managed.The virtual management ECU 101 may appropriately separate the virtualECU 102 related to the external device 5 by VLAN.

As illustrated in FIG. 4, the virtual management ECU 101 that completesthe process of generating the virtual ECU 102 monitors an operation ofthe generated virtual ECU 102 (step S14), and determines whether or notthe operation of the virtual ECU 102 is abnormal. Specifically, thevirtualization operating monitors the usage amount of the physicalresources allocated to the virtual ECU 102, an access operation to theoutside, and the like, and provides information obtained through themonitoring to the virtual management ECU 101. The virtual management ECU101 acquires information related to the monitoring result from thevirtualization operating system 11 a, and determines whether or not theoperation of the virtual ECU 102 is abnormal on the basis of theacquired information.

In a case where it is determined that the operation of the virtual ECU102 is abnormal (step S15: YES), the virtual management ECU 101 deletesthe virtual ECU 102 (step S22).

In a case where it is determined that the operation of the virtual ECU102 is normal (step S15: NO), the virtual management ECU 101 determineswhether or not the external device 5 is detached from the connectionunit 13 (step S16). In a case where it is determined that the externaldevice 5 is not detached (step S16: NO), the virtual management ECU 101returns the process to step S14.

In a case where it is determined that the external device 5 is detached(step S16: YES), the virtual management ECU 101 temporarily stops theoperation of the virtual ECU 102 corresponding to the detached externaldevice 5 (step S17), and initiates time measurement (step S18). That is,the virtual management ECU 101 does not instantly delete the virtual ECU102, and retains the virtual ECU 102 in a state in which the operationcan be resumed.

Then, the virtual management ECU 101 determines whether or notpredetermined time has elapsed after the external device 5 is detached(step S19). In a case where it is determined that predetermined time haselapsed (step S19: YES), the virtual management ECU 101 deletes thevirtual ECU 102 corresponding to the detached external device 5 (stepS22).

FIG. 8 is a functional block diagram illustrating a state in which thevirtual ECU 102 has been deleted. As illustrated in FIG. 7 and FIG. 8,in a case where the external device 5 is detached from the connectionunit 13 and predetermined time has elapsed, the virtual ECU 102corresponding to the external device 5 is deleted.

Then, the physical resources of the deleted virtual management ECU 101are redistributed (step S23), and the process is terminated.

In a case where it is determined that predetermined time has not elapsed(step S19: NO), it is determined whether or not the external device 5corresponding to the virtual ECU 102 of which operation is stopped isconnected again to the connection unit 13 (step S20). Reconnection ofthe external device 5 may be determined on the basis of theidentification information of the external device 5.

In a case where it is determined that the external device 5 is notreconnected (step S20: NO), the virtual management ECU 101 returns theprocess to step S19. In a case where it is determined that the externaldevice 5 is reconnected (step S20: YES), the virtual management ECU 101resumes the operation of the virtual ECU 102 corresponding to thereconnected external device 5 (step S21), and returns the process tostep S14.

According to the on-board computer 1, the computer execution method, andthe computer program 11 b configured as described above, in a case wherethe external device 5 is connected to the on-board computer 1, it ispossible to cause the external device 5 to operate in a secure manner.In addition, the external device 5 can be connected to the on-boardnetwork in an aspect capable of performing a cooperative operation withanother on-board control device.

Since the virtual ECU 102 of the external device 5 is generated afterauthentication of the external device 5 has been performed, security canbe improved.

Since the program for causing the external device 5 to operate as thevirtual ECU 102 is acquired from the external server A, the capacity ofthe storage unit 11 can be reduced.

Since the program for causing the external device 5 to operate as thevirtual ECU 102 is acquired from the external device 5, the capacity ofthe storage unit 11 can be reduced.

Since the information for displaying a progress situation of the processof generating the virtual ECU 102 is transmitted, a user can confirm theprogress related to the process of generating the virtual ECU 102.

In a case where the external device 5 is detached from the connectionunit 13, the virtual ECU 102 can be deleted, and the physical resourcescan be released.

In a case where the external device 5 is detached from the connectionunit 13, the virtual ECU 102 is deleted after waiting elapse ofpredetermined time, and thus in a case where the external device 5 isreconnected within the predetermined time, the virtual ECU 102 relatedto the external device 5 can be used instantly.

In a case where the operation of the virtual ECU 102 is abnormal, thevirtual ECU 102 can be deleted. Accordingly, security of the on-boardsystem can be improved.

Logs related to generation, operation, and deletion of the virtual ECU102 can be left.

In this embodiment, description has been given of an example in which avirtual environment is constructed by using the hypervisor typevirtualization operating system 11 a, but the virtual environment may beconstructed by using host OS type virtualization software, that is,virtualization software operating on a basic OS.

1. An on-board computer comprising: a physical resource including acommunication unit which communicate with an on-board control devicethrough an on-board communication line, a control unit, and a storageunit; a connection unit to which an external device is to be connected;and a management processing unit configured to generate a virtualcontrol device by allocating the physical resource in a case where theexternal device is connected to the connection unit, wherein the virtualcontrol device operates as a virtual on-board control device thatincludes a virtual communication unit, a virtual control unit, and avirtual storage unit which communicate with the on-board control device,controls an operation of the external device connected to the connectionunit, and that is connected to the on-board communication line.
 2. Theon-board computer according to claim 1, wherein the managementprocessing unit performs authentication of the external device in a casewhere the external device is connected to the connection unit, andgenerates the virtual control device in a case where authenticationsucceeds.
 3. The on-board computer according to claim 1, wherein themanagement processing unit, acquires a program for causing the virtualcontrol device related to the external device to operate from anexternal server, and provides the acquired program to the virtualcontrol device.
 4. The on-board computer according to claim 1, whereinthe management processing unit, acquires a program for causing thevirtual control device related to the external device to operate fromthe external device, and provides the acquired program to the virtualcontrol device.
 5. The on-board computer according to claim 1, whereinthe management processing unit transmits information for displayingprogress of a process of generating the virtual control device.
 6. Theon-board computer according to claim 1, wherein the managementprocessing unit deletes the virtual control device in a case where theexternal device is detached from the connection unit.
 7. The on-boardcomputer according to claim 1, wherein the virtual control device isretained before elapse of predetermined time from detachment of theexternal device from the connection unit, and the virtual control deviceis deleted after elapse of the predetermined time.
 8. The on-boardcomputer according to claim 1, wherein the management processing unitmonitors an operation of the virtual control device, and deletes thevirtual control device in a case where the operation of the virtualcontrol device is abnormal.
 9. The on-board computer according to claim6, wherein the management processing unit stores logs of generation,operation, and deletion of the virtual control device.
 10. A computerexecution method, wherein an on-board computer including a physicalresource including a communication unit which communicate with anon-board control device through an on-board communication line, acontrol unit, and a storage unit, and a connection unit to which anexternal device is to be connected executes processes of, determiningwhether or not the external device is connected to the connection unit,and generating a virtual control device by allocating the physicalresource in a case where a determination is made as establishment ofconnection of the external device to the connection unit, and thevirtual control device operates as a virtual on-board control devicethat includes a virtual communication unit, a virtual control unit, anda virtual storage unit which communicate with the on-board controldevice, controls an operation of the external device connected to theconnection unit, and that is connected to the on-board communicationline.
 11. A computer program causing an on-board computer including aphysical resource including a communication unit which communicate withan on-board control device through an on-board communication line, acontrol unit, and a storage unit, and a connection unit to which anexternal device is to be connected to execute processes of: determiningwhether or not the external device is connected to the connection unit;generating a virtual control device by allocating the physical resourcein a case where a determination is made as establishment of connectionof the external device to the connection unit; and causing the virtualcontrol device to operate as a virtual on-board control device thatincludes a virtual communication unit, a virtual control unit, and avirtual storage unit which communicate with the on-board control device,controls an operation of the external device connected to the connectionunit, and that is connected to the on-board communication line.